On Thu, Sep 19, 2002 at 06:17:20PM +0200, Roman Drahtmueller wrote:
I just had a brief talk with the maintainer of the SuSE sendmail-tls package a few doors down the hallway. He said that he regrets that sendmail-tls is statically linked, but it was a requirement from a time long ago, imposed by a customer. So I guess that customer is to blame.
Olaf will send out an announcement in a few minutes that should clarify the missing snippets in the puzzle for everybody. In fact, more packages other than just the openssl packages need to be updated in some rare cases.
Does that mean that one has to wait quite long until sendmail-tls gets updated (or becomes a dynamically linked package)? Since there are already several exploits of apache ssl, I think it's too risky to run a vulnerable sendmail-tls. I hope this hint is okay: To deactivate TLS in sendmail it seems to be sufficient to insert a wrong filename in the line "O ServerCertFile=..." Of course I'd prefer to have a working sendmail-tls. Otherwise I'll get a lot of questions from people who wonder why they cannot send mails any more...
Stand by.
OK. How long?

Thanks and bye,
Hatto